From e38966c5f75ec8dbc8ba6a56585483275101c329 Mon Sep 17 00:00:00 2001 
From: "Khang Vo (doublevkay)" Date: Wed, 25 Oct 2023 16:54:24 +0700 Subject: [PATCH 1/4] detect reinitializer in unprotected_upgrade detector --- .../statements/unprotected_upgradeable.py | 12 ++++- tests/e2e/compilation/test_resolution.py | 6 +-- ...gradeable_0_4_25_AnyInitializer_sol__0.txt | 1 + ...pgradeable_0_4_25_Reinitializer_sol__0.txt | 1 + ...gradeable_0_5_16_AnyInitializer_sol__0.txt | 1 + ...pgradeable_0_5_16_Reinitializer_sol__0.txt | 1 + ...gradeable_0_6_11_AnyInitializer_sol__0.txt | 1 + ...pgradeable_0_6_11_Reinitializer_sol__0.txt | 1 + ...pgradeable_0_7_6_AnyInitializer_sol__0.txt | 1 + ...Upgradeable_0_7_6_Reinitializer_sol__0.txt | 1 + ...gradeable_0_8_15_AnyInitializer_sol__0.txt | 1 + ...pgradeable_0_8_15_Reinitializer_sol__0.txt | 1 + .../0.4.25/AnyInitializer.sol | 15 ++++++ .../0.4.25/AnyInitializer.sol-0.4.25.zip | Bin 0 -> 2867 bytes .../0.4.25/Initializable.sol | 14 +++-- .../0.4.25/Reinitializer.sol | 15 ++++++ .../0.4.25/Reinitializer.sol-0.4.25.zip | Bin 0 -> 2874 bytes .../0.5.16/AnyInitializer.sol | 15 ++++++ .../0.5.16/AnyInitializer.sol-0.5.16.zip | Bin 0 -> 2968 bytes .../0.5.16/Initializable.sol | 14 +++-- .../0.5.16/Reinitializer.sol | 15 ++++++ .../0.5.16/Reinitializer.sol-0.5.16.zip | Bin 0 -> 2977 bytes .../0.6.11/AnyInitializer.sol | 15 ++++++ .../0.6.11/AnyInitializer.sol-0.6.11.zip | Bin 0 -> 3699 bytes .../0.6.11/Initializable.sol | 14 +++-- .../0.6.11/Reinitializer.sol | 15 ++++++ .../0.6.11/Reinitializer.sol-0.6.11.zip | Bin 0 -> 3721 bytes .../0.7.6/AnyInitializer.sol | 15 ++++++ .../0.7.6/AnyInitializer.sol-0.7.6.zip | Bin 0 -> 3594 bytes .../0.7.6/Initializable.sol | 8 ++- .../0.7.6/Reinitializer.sol | 15 ++++++ .../0.7.6/Reinitializer.sol-0.7.6.zip | Bin 0 -> 3622 bytes .../0.8.15/AnyInitializer.sol | 15 ++++++ .../0.8.15/AnyInitializer.sol-0.8.15.zip | Bin 0 -> 3666 bytes .../0.8.15/Initializable.sol | 6 ++- .../0.8.15/Reinitializer.sol | 15 ++++++ .../0.8.15/Reinitializer.sol-0.8.15.zip | Bin 0 -> 3691 bytes 
tests/e2e/detectors/test_detectors.py | 50 ++++++++++++++++++ 38 files changed, 262 insertions(+), 22 deletions(-) create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_AnyInitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_Reinitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_AnyInitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_Reinitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_AnyInitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_Reinitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_AnyInitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_Reinitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_AnyInitializer_sol__0.txt create mode 100644 tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_Reinitializer_sol__0.txt create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol-0.4.25.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/Reinitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/Reinitializer.sol-0.4.25.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/AnyInitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/AnyInitializer.sol-0.5.16.zip create mode 100644 
tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol-0.5.16.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol-0.6.11.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol-0.6.11.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/AnyInitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/AnyInitializer.sol-0.7.6.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/Reinitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/Reinitializer.sol-0.7.6.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol-0.8.15.zip create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol create mode 100644 tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol-0.8.15.zip diff --git a/slither/detectors/statements/unprotected_upgradeable.py b/slither/detectors/statements/unprotected_upgradeable.py index 30e6300f17..b032114232 100644 --- a/slither/detectors/statements/unprotected_upgradeable.py +++ b/slither/detectors/statements/unprotected_upgradeable.py 
@@ -50,9 +50,19 @@ def _whitelisted_modifiers(f: Function) -> bool: return "onlyProxy" not in [modifier.name for modifier in f.modifiers] +import re + + def _initialize_functions(contract: Contract) -> List[Function]: return list( - filter(_whitelisted_modifiers, [f for f in contract.functions if f.name == "initialize"]) + filter( + _whitelisted_modifiers, + [ + f + for f in contract.functions + if any((m.name in ["initializer", "reinitializer"]) for m in f.modifiers) + ], + ) ) diff --git a/tests/e2e/compilation/test_resolution.py b/tests/e2e/compilation/test_resolution.py index af7cbe2c77..c3290624be 100644 --- a/tests/e2e/compilation/test_resolution.py +++ b/tests/e2e/compilation/test_resolution.py @@ -57,6 +57,6 @@ def test_contract_function_parameter(solc_binary_path) -> None: function = contract.functions[0] parameters = function.parameters - assert (parameters[0].name == 'param1') - assert (parameters[1].name == '') - assert (parameters[2].name == 'param3') + assert parameters[0].name == "param1" + assert parameters[1].name == "" + assert parameters[2].name == "param3" diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_AnyInitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_AnyInitializer_sol__0.txt new file mode 100644 index 0000000000..1ca788ced8 --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_AnyInitializer_sol__0.txt @@ -0,0 +1 @@ +AnyInitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: AnyInitializer.anyName() (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol#6-9). Anyone can delete the contract with: AnyInitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol#11-14) 
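Review bot: The rewritten filter in `_initialize_functions` selects only functions carrying a modifier named `initializer` or `reinitializer`, so a function named `initialize` with no such modifier, which the removed `f.name == "initialize"` test did return, is no longer treated as an initialize function. If dropping that case is not intended, keep both conditions: `if f.name == "initialize" or any(m.name in ("initializer", "reinitializer") for m in f.modifiers)`. The match is on the bare modifier name, so a contract whose guard modifier is named differently is skipped and any modifier that happens to be called `initializer` is accepted; a short comment on `_initialize_functions` stating this would help whoever triages the detector's output. The added `import re` is not used anywhere in this hunk and sits between two function definitions; unless code outside the hunk needs it, drop it or move it to the import block at the top of the file.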
diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_Reinitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_Reinitializer_sol__0.txt new file mode 100644 index 0000000000..79cc306fea --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_4_25_Reinitializer_sol__0.txt @@ -0,0 +1 @@ +Reinitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/Reinitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: Reinitializer.initialize() (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/Reinitializer.sol#6-9). Anyone can delete the contract with: Reinitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/Reinitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_AnyInitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_AnyInitializer_sol__0.txt new file mode 100644 index 0000000000..36309ced37 --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_AnyInitializer_sol__0.txt @@ -0,0 +1 @@ +AnyInitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/AnyInitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: AnyInitializer.anyName() (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/AnyInitializer.sol#6-9). Anyone can delete the contract with: AnyInitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/AnyInitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_Reinitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_Reinitializer_sol__0.txt new file mode 100644 index 0000000000..99eac307d9 --- /dev/null 
+++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_5_16_Reinitializer_sol__0.txt @@ -0,0 +1 @@ +Reinitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: Reinitializer.initialize() (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol#6-9). Anyone can delete the contract with: Reinitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_AnyInitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_AnyInitializer_sol__0.txt new file mode 100644 index 0000000000..dc9612b837 --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_AnyInitializer_sol__0.txt @@ -0,0 +1 @@ +AnyInitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: AnyInitializer.anyName() (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol#6-9). Anyone can delete the contract with: AnyInitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_Reinitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_Reinitializer_sol__0.txt new file mode 100644 index 0000000000..2708424239 --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_6_11_Reinitializer_sol__0.txt 
@@ -0,0 +1 @@ +Reinitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: Reinitializer.initialize() (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol#6-9). Anyone can delete the contract with: Reinitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_AnyInitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_AnyInitializer_sol__0.txt new file mode 100644 index 0000000000..5a4ccf71af --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_AnyInitializer_sol__0.txt @@ -0,0 +1 @@ +AnyInitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/AnyInitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: AnyInitializer.anyName() (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/AnyInitializer.sol#6-9). Anyone can delete the contract with: AnyInitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/AnyInitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_Reinitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_Reinitializer_sol__0.txt new file mode 100644 index 0000000000..f79c9c662d --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_7_6_Reinitializer_sol__0.txt 
@@ -0,0 +1 @@ +Reinitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/Reinitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: Reinitializer.initialize() (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/Reinitializer.sol#6-9). Anyone can delete the contract with: Reinitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.7.6/Reinitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_AnyInitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_AnyInitializer_sol__0.txt new file mode 100644 index 0000000000..fb08aab174 --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_AnyInitializer_sol__0.txt @@ -0,0 +1 @@ +AnyInitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: AnyInitializer.anyName() (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol#6-9). Anyone can delete the contract with: AnyInitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol#11-14) diff --git a/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_Reinitializer_sol__0.txt b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_Reinitializer_sol__0.txt new file mode 100644 index 0000000000..2eb7d5feea --- /dev/null +++ b/tests/e2e/detectors/snapshots/detectors__detector_UnprotectedUpgradeable_0_8_15_Reinitializer_sol__0.txt 
@@ -0,0 +1 @@
+Reinitializer (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol#3-15) is an upgradeable contract that does not protect its initialize functions: Reinitializer.initialize() (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol#6-9). Anyone can delete the contract with: Reinitializer.kill() (tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol#11-14)
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol
new file mode 100644
index 0000000000..9ad63bcdf1
--- /dev/null
+++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol
@@ -0,0 +1,15 @@
+import "./Initializable.sol";
+
+contract AnyInitializer is Initializable {
+ address owner;
+
+ function anyName() external initializer {
+ require(owner == address(0));
+ owner = msg.sender;
+ }
+
+ function kill() external {
+ require(msg.sender == owner);
+ selfdestruct(owner);
+ }
+}
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol-0.4.25.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.4.25/AnyInitializer.sol-0.4.25.zip new file mode 100644 index 0000000000000000000000000000000000000000..143c2bc5247ad601d63a91458a6eab99667dacba GIT binary patch literal 2867 zcma);_dgU41IN$aDP=30uXWBIAt%JSaA#$cdC1{x5@&=mvz;xQ>=AJ`ncd+i4C)mu~+!9sAIc93QzuGw^ z|28|FDxr=hHKS*oFSJ~x8K=J&UGZ9t;o;F&1}WVE&1ZV0K}5H(tKm+6(V&HJ?kv<% z#b*Zh0JIuE>`C;k=gYGW=kkit#Tdx0E-2#uw;DqQDTNkS%12DZwe!An5!=UGo%%6- zLV;|(g(tU96GVD$T+SkOK>1GM{HJ84rS)p8sT-95-;ZxQuC}_jd|{2Eh(Auz_Py25 z#tp5PTVnf-C#eZgC+^)9D`;tJdWyiyFDaSo(9C46x*gs&rQcwGwuS=+$L$Ncu;Jp5 zUk+S<5vb{lz8j>!_tnrrYf3YZ#Lw|<0KRsr@Y+^BgH_%%>Ap-8HL>v6mm-sEdyH%e? zVpop+Ycu=>xB8Tf?2kFcB1c8uREuf!MsY1z;SbcP9w zEzTI+&erJ7j=UJ>d}OQQOl{JZR<3sUE#reDcTE98ILVGM`n~!1?%8oA@p9`9%sG*E zn3@@7d)jaI2_$cs{3auZL#I*uuuo~?LIBeMjlHJMoE!ZK0iA$DQ+oM%)_Q8!R*D0t zovb#h3I%hg?Y|fTf8=HoTM=dFuNcw6Ng7`fz6aG_k1YbiVoe@L)FfViCT~%8N8WAJ z1(vY<<&7pJLYzxFX+qXr*feYT3bm+W(uAK_Wn}R#(duhSO~O|zbc)n=`F8vHVVPcMVP`jjX@%*u~(bBbh^u8_k;E$Hrh0;+pF5E<14xdf4Us` zUM)r-54gL|ANG8|C-q|`YiLLHKCcWM?;gT`OPnp7x4xt|=J*DUH?8iK9&7J7$g1jj z`F97RFymYkDp!o>Pr=RWzuJ0?)SgyxjG0xR^(|91Qr>Sjl!!xJh`&Ju&y}dp4StQf z=Brz_;^Nxp6?YV2apNfY{X|S^*+D47>EJ!+IMmOSi<(^#4R4?D3$T&asj!BOgI6Z~ z4DNbHNm}Tz{BlQwPe+7m-4pnWbm|r<8s~AG;ye?$X+{@5>OJ}q^u?YrD`}#=C{2X& z6=qnvSJv!=^xUXgE-|;?H8`r#+Snp$<9Ww3xWl@XVzvigCCr<>a^-70j7&q{I}s^{ z86uw_f$-0)gWKe@9i6=vrZIM9R%}Ro@+{$f24q3(x~u8koQwTCIY?7#dM^3=)DNtp zLFU-=8x^x#hl)mf)t_OkO>#Qd#ftc0cdyO`lB)r`CtS!BJu&7A$#941`Eq3W>xhgB z{~2sdapCNHnRD6J>z;|%(C^9`ie6XRFx6K~vGs)A-U{9KQ}w421BXfQ1nA_KCa?(z zcEWxL(@1NqjbOF8r6+55Kt0zB){#qm9LylvStOTXDp64RfwGSwarULVJ3E!`KcxLh zC&J{EIFUzA$)QT*Bwv4J6tk7*gutH;b1J6;;I*T+>{+YR>eeX+w{TJ?Mifi^KK?9s zs(PsRn&&ON>*$*lOU1z7&#dx~)Y zkRp^}*6#J3M!(A!2~Ca+7&S08tOhTx<*J+Vnh#6jgtkqsHcIwgIr1J0O=3T)uXQsX zM%X4d2)d6P`{vxNM{xT~NC%U3$m-!nLaGK-AZOS3va^hq40H+++BmZjlP^yuHsXEZ 
zcAy0Pa+}3BB&`#5KUQ#BS8d>cTIN{~8U0Hw8lO=$JiQYWa?xcnuRLY-CBs$bA=RsJ zrmEgHst5r7QiuOj;cR8R*goi)X{yJ-i~>Z}>SvKbWuB|2zg4WDgOvO3B1lVPO*kfS zYS%vw8>CBXZ>1a*>d(z!au9DCw>7M?c%rYio8vIfiG|D65dx=e`Q{8GA2phBIdo>Q zU;=rxRmypY0g|m%iE7Jh;*2#3Qn@=)Eto+W1wdOM?M`Vh&H>BI%Hm8sj4ik{)|Q#n zU*{v~2P>IPJt=F!Y~us8PKi@lo>NlJEAnw01+{wLXT;V89zow9G7u@(U3Ob?tZ)sR zY`2L(@du49iCiC;tKqKvzzB`??z+YLTYCofcj3^Ti6!H*bwIe9Cr|=X%Y6((la+F{ z%W!em%|@M@Eu8QikecDOQW4~Z>N-=}m0J;{ocGqOqdT|E zUnGfkK5o@xLU}u5WlpnVMy1IcThj7B*0>Aku?vePf17L1aT{?9`w(fv8Djt9nA0@0 zU_WlE4U|jTJorlVx>^-MwewB;T|8uW9)buMXL5GiE_}o+-Nri+JkLrcj5g844)DRN zhSSW82X|CzL(Mfy_;fL8sBg>*^fEkBXg^D_!J83E^mU}*nlNz-ge33db!-V2qqaHE zL&;{td^(6^3}>i^KNzS%&h@4}x+1D$u-1OX3U++Cp99(tbF!DmIV5-YbkZ3U>N=M@ zm6VjyklJrA=i3N|zfkYK}XFrqLtO5&{WpQ$2obcx_aRQ_K(X zv5qC;O$$(1i|XfJr|LAX{izv%S!K~bYcTfMVoINxVrKo=G4iaJG~`|LI;H2V-!six zn})tN=YxF;#w)7QSMV9(#K{_(h`b>MVW0*e_nf5coY`ZHyi z0+A!~G%_}iC!OB{>;i~?ZuUe_3w@+Ktg3KiO-wv6453)ym>@pq068^}uvb!dVrH?v)fnJjthG`nnnr#=|ds5;PT$Su0$ z)&8YNVvDTtEFj?NXKKFgcp+1QeReFtg=-}EfNR2;gbiJq@bNlYewkCpa;I*K*HtyH z`l#>H;W?l^qsZ;G>EWN&56Uo!4tLqdJ$7I4G}!n)fU~Gm9A%4j6L9!N2cx^WVs1S@ z*@}5!|Ks0(Zt%`;1+O$oQ9~3lc461WcEi&;Gt%I6>xvh?hNGLerKrYTwcgPINVs+B z4&aaqM*`{S+&O1Wpzu!eTaD&!a^-EiMFMP~*XoeFY3O`RdrnAgrW415gPUyl*tZ5e zrC4Z)P+*{dgPCWxRpqwmUy;0XH@&uFH4{@)i&u98j{+WZ?Xf7K z*z1PtLj`(1Zy3|wlK+0v0NND9&6a97d58Vk|nbVPEMQ&Evr`KEoU8KB$X!<(5I zJm*ajt;%mrezH^~EBlShpBk_yn@a!5N$58a2CpL(m-S|7S8_r^i*Im=40C%VvM@IV z#7!6Ouk-FiG@CoI?Qkj4$X7x2vN2+bfMb1r9Lt>-Q>bF z_Z*G1T!^y#aUuf6!e!D)vx+Cj%_-0T@oR+Lvmda%*s>Da-$J=EH1KZXX5XXu{{QkhM{g|57_Zrt@XTc zj+iKv4dZ>MCjI$|$@JdM@?xH;#u&A|19%qypA&{|a)Yj9-nGwqYJ;5GVKyGKP06*8 z0z?DFSQT!!)S$rZR6t%>8#n7cc^|t|+0*8S zo@6Qrr|Tk|e#h|-P?cc~15+{<{pwO0l!6y}Hk7A*>#P+>rSs!SCxE0OT_5@xRt5MpT_e#n>-?qv()M0Y%HeT`aH@A?K zJ=}h>e4aWavXpedBqeI>2flNf7w&U5bc%lHWZzke+!wWR>yaBTJH!F_5*Ul>3F#9e zT`VPn`j6UocOU$D!Kc9l6uqizbbWxIXVMi5Bj2KSPfJnBK}vq&WQL@U6EH=_wro4w zhg$`)`gg*aGI3^1LT#3OG@l~zHZ)@$6*jH-|I^P z`6#vCHyUQmz_{2@}P5W=rSB_E5k9js3>?}tIw 
zcKS%?hla|;-vFwK;Fw^wlNs~QhTG!nFFxH~5*21@@O*r?8&@T=FQQckPnK~7Q=+k& z4Y`_Dq8K^6F=G@CeZTnyt9TgYHAT_LKF_HgpmRD>97i;wf_cc#VW9%zKI^2RV3o67 z!JbdU2Fqw*`GntW-_DNR7`fbL8w2A|?S^RVnh|Y2#LK5|5`3i{(Yh|-!N#6lLroNz zSPNGQEWKT_BmtIHqu^I--o=9hYbf<6-kn zJ?hTWolAil9QcV7ZT#53fhBkh(%nB@UHlw-_a{43gW*Xe%)}lP4P~~M(Het1J^jAW1qM)tkUSV!myb9CY+RJQm z2A&eHzz6l6iL)EBHRmJVW>hDKq@@e$X9@y|S)-}1fmQ21)Z42YjMPZ^8q31Aq6=Po zW$mwBL=R9LNeoQD==Q5cs|&vwXp|l|z44r%_HnJMmnkSA75yX4;K+}D0q`Z6-dI^`n+K1WV-n<=AhgUiZ z<)s#0>f%BaZW-z1CU;-ec;(bOIq8Vmeqb#s6(_=kwq=NW!jGyav6$tS`krIV-kitn z_Va){Q`<-yKXR&je7fg$iIU3wIUVY`;&6UCA*dr=`@(inod0Y*AYBtdR!!OMJ;0^znS}d{jKiNrSA{4bc-$dw+=ft>bw215sYB6 z@NyXRl*1{!@o$aQd)}PiZ8YJqFdG(i?XIll{V7snZ+{8VRa!pmvkQ-lQC%P%hufsT zpa)>ybCD>->v3i6Rl3F?v525x`eqF=6ECpntw2W+p0#Oak+tWtUqGOH78!n?`j4Xz zryhRc+XpmL+s8%>2Idqf=kOo0zzQyfzI_b&S``NR_2I0LGFhMObU1CC;`U0Jq}&Gw zBkntN=m!z5MGsSf64FB47#gIRF6@ zhum_vo2XLMW=PyLE^xU-?$vxzZ-VKndBC+_*wcv33dqIp5dYEd)c^GI)4^c^j5PCh zt||ukCy>UKn>DQtM|f||x_1jedi69P)MWnhVTI~T!C1$p`1_azw12H+zm4C3GrzKi zj`X>Hthv2)nGtAE5tcxs4mjBI^33k~_T;;as{)jId~&o>aqbVz`)Usky0W>~t1g4% zXK}t3iJ<;yXy{wo$wgXRN?kWYYt0WvZg@U=(%%WNzivmhnr!U#MIxyV8-D=(oFMa& z190n~;&s^T!ut`$m-8Q5>_uL5G6pG!6;DnmPH`H-Sm|S8Pc!~du?}&w`e|1QRyu2f ziJa;+_>f)=nuF+d0dxR%Kv|rAXF&IEdYh}3Xwwx2e^1e+zk#1b#V*v@I{4t$@!s!gP7{=ob01? 
zqI9o#>`T*iwikUtC<&rqLi#O!9id5d2e;zR17?U&d%(kuJUO9NaSk#0NxwnEUb$7W z_+f0e9l8RRfWz{NYodik7E+i`@&ZEl=Q(G#kaW)^oZcCQub2i}wC=;St|+&jpH0Sq zgEoJ*d{%CI_Jkp&nlUT){YPPJsYd;n=|)@`L5l^xy~HAG+^rXF@(Q!y^We0vB@}}B z_V6+ey4jv!R{V>Bu0u?N4D@)y$}6yOg(-lJ2O*VY^$7B0mi=3#SUuZ zSIof{XBv)jjXv|Qj)wES#ri)GN1n8oCdDwF#6G6Py`13s6SL=mtM4*4OXq?&)Fj?7 zFEzVUYKN~TGv(gEdM|bq6{z+2H_w$k=KCJ$RMSo0VUzT*UZ674p?VcXv_G5nmPrWd z%(Sz~Js^|91q;&clWE3k8RkmLWdh^pdnQv;yyL{l8l!+T# zh%67errswrC8GT}%@-&t!HsnP3m#^{0aF8(&WE}W2M*_Y27eR*9kN$E4Xg3W(Py6B z`wF-1n@TETLw?QrrAV>2oF2E9TAmc?(7x@O5PQP6OMcG*73ebwmlF@j6Rx;qMcfSz z{oRyJ^iVYAxffRX=Jq961k-_+{4s8L7p*-aW z3R(#->K+{9n6bHny^}*eOobKGo-&Uv>!w}(e)KiW<_2Qu(nVVttyCBC2{F2_&FF1Y zqlv>%P{=-`7lsdiILX$Oz(mlxT zrfJRjr2CIF3h&T$w}nZBBx5gv(Uv_H&KbMsq*8?I^t^t92xPCf#WN-(?faQ?p@hG% zU3oBG-?AO`48 zgZao3+l|LRoye~d9Ix#q6)G2+d&hb$xA?mQDYPxtDr@Jtit6Zhx|;47A)_~LpBYt4 zrfb-_D+oE@N(bk}mKtGqACfVz^!83+v9zGsxx?rCq$(AQNwa;c2H2jyqb&FO9|yve zdL+4l2V>u)26|+-=D|Mg@Fq;*k5bf1Muo0f93SAp-IT4c1ApX9 zW$xb8!WI^9aFXoTzasR_*Hcy{AVF@Sbg1Yig-kh9;|zYGwM~&~!S)Q`3WzoIHuJZ& zMrFWpBi_;l^SdBQ+*QZ3LPWdq`#?(otXrZ?vPy+8X_K1nnMszP>-n*obUE^tnDHbk zT}EuMEd3~+59ZbVw##zYC$V&+_wQ+P!1+v$j=6A?(A}MhXxX-Ho!+8|nhW7fvG=8G zm$kWwpF|vn)kw7dDWLH0SW(9k%Azp5qn?D5b)3V%G^RIqer4Sxxgf%q_fM`$uffvo zJ^1=pjTagV1g+gSsi?D`y;byLqUH6aA=HCkamq8VpguRiw4b z2S4Nz;YFP17p7?p(Q8&>LP!+97LS334 z4ZHv{WYxbqr`>oZgL_bot#~WT8TWJ)sv+?(nZt0!+i(Y;$W3i483%eQm5ms%vCcy; zO|`>OF)Ria>EFbyF~wVmVuR8QYnAK zXvP|@LgB37YJMyvX)v=8Xw9{iUD z;6)%~Q zS^Zu&kuxdejei4E?|@G54XW~ME`U6G^4c3^bSrSb;y}h+>1i=3r!WfGPMMO3;I%wF zXojiFhHt@3)E@}iG1mvE3ovMezsWZ22f!w!Mx_F8;VFL@C@ce!EIFQX1z4E)*Iew+KGCmdL_Uq+S`y& zEl8Kqa-NpDo*@GXu0iCf4EcSi*)_%5xEyiiB&@C^7jOFS4aeua{4gJD!q}P90YTR` zSSXJLzyz$bjad1C*!q!kjdx;i-?*z<7F`r>^O>HB5FDkkqF3ivo$zMn77HuZqb)NF z>ch@y@g}i1>nWb-SSYqUn-9!S6f!Cba#S0Bv!=_J=en|_)!4yL2K-Hn)fzaOq!i1X ztp79sRB9_*{8U9>KHQ&O++kH710`FI=r`-So*|Mz$jB#cB4_I&&!KL%#b#7}dlrgCTxDaOts_T&M+W4UaM5A_KzLzaU^<899@mWS2B*Mo<+3VPFDBWL4MUn18 zS0!bb3f@MI8pJNR+=}tQvS%5MK7pW;Ank$_N&h-qC>A!5*C`E6p-PDEUt4uid=3L< 
z;hg@0NZ%C%MkN9-3@NkpOZ%f5y%5?@3N3Lm`+k16YfkxEJmXB1=~3o%L(+VJYX3L zUKu&knWA*!c%fXrIU420qtcH5QI!!N#QDOoiKi~v&jdnH@+C_0f?x0X={H#SIxb^6 zFV@Ni*UJXAiK=}mt5vm=szq#t*voV5ck(`dZGkmRyUWQQeY()~<8TC#wSW0}6ZGT# z7iI_WEFpW+=}F+mGSVDKrwjVuzWk3e|2HwffARm>Gt!&^{O=q1Pp$u<9LvA!KamNS AU;qFB literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Initializable.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Initializable.sol index 779a0e87c9..c19577db34 100644 --- a/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Initializable.sol +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Initializable.sol @@ -1,5 +1,9 @@ -contract Initializable{ - modifier initializer() { - _; - } -} \ No newline at end of file +contract Initializable { + modifier initializer() { + _; + } + + modifier reinitializer(uint64 version) { + _; + } +} diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol new file mode 100644 index 0000000000..cdf587c494 --- /dev/null +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol @@ -0,0 +1,15 @@ +import "./Initializable.sol"; + +contract Reinitializer is Initializable { + address payable owner; + + function initialize() external reinitializer(2) { + require(owner == address(0)); + owner = msg.sender; + } + + function kill() external { + require(msg.sender == owner); + selfdestruct(owner); + } +} 
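Review bot: This fixture does not isolate the new `reinitializer` match, because the guarded function is still named `initialize`, which the detector's previous name-based filter (`f.name == "initialize"`) would also have picked up. Renaming it, for example `function initializeV2() external reinitializer(2) {`, would make the test depend on the modifier check itself; the matching snapshot would then need regenerating. The 0.6.11 copy of `Reinitializer.sol` and the snapshots for the other compiler versions show the same `Reinitializer.initialize()` name.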
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol-0.5.16.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.5.16/Reinitializer.sol-0.5.16.zip new file mode 100644 index 0000000000000000000000000000000000000000..0f8b1e98475645e063a808c52ce50582aaf1252b GIT binary patch literal 2977 zcma);=QkUS0>)#LzV@D>FuA|(UZ001EXfJ#h^v-GvJSMJ0} zy%Kd+k2^x3jVChRm_rqWN42m>{qhG2ftry42Uu~?7C$Xm0`D@Y*)6`c%6}1>WR5D) zh)nfk<5xuS@-4>#udzt<`4auyu@P~afK43~v#IN5*m$m?%q`O>|sUNtm zYQw%kzL*{}6(>S4W3m@;)v1SA#7J4)Td=C_I&CLyo`IYp&Tsw8&#^u-PYN-+Mtz)z=YeseVPbjFfBVXR<}w*wBa(yAlh6qX3$0 zqvXq2c{UJ98ooXF;-<+U)%5M%M%TtCn!O%}ad9fAUSIUVw>DPFTCvAG6zD`gBc&X+A^ zDq4Fr%U3?3UKYcpa0ly9KRWA)A3A1Izp6JDPCiQFURdtsd_oy{jVhJX3bUG4|0K^l z($%Is^-<8vvG1Gpq3n{YI;cz;L0R(Yc4-@2|2j7~9;FDco>!PAncNmiHs8H1=or+= zu=nH5j8c?&sDmvcuA0^=XCj~yaFaVCAmrYC{+uaXYR^O(SV!t{UahOGR4qIn-_=P7 zbD*{tuv~l87bH(B1wR-!Y-@hqD4ym^1{J??)e^4!&@5)K9_gdLviSmrZj?pL-;Tbx z@Sxn$nK#5hckq%5o{v2V$c12$g+LW@+R-cd87vzpeQ~kk82e;1_V;m|l~g)BI8E41 zodw3Vti4(z8F6<$X8am~J{_9I%5v_pS{0ef7MPW9`qe$cLFhO&|^*;Jo2lsX^>=c?_KJJQnJM zq?O#8XsOc3Dllh|)8DPVYFd%J(sdV!D9FdnP%qB~Jmwl#JD^RDyX&+&#sryj-M%+@ z28}rw?2=2uvTFwmLfA_qoR;fbE~B`$gY(~LqcU}y&G|WxGgJhi26d;FNp4_6?DVS7Z0CaxME2%a8%>h!ddS9WEUB!=D$ zS3#Tw8F`SxaM^%rS6yT0otbSr5sIC;b}W2Id2TORfr z1{>jxR5K4Lpst)};+N_1Nv%vJMGQGdt;*~k6sTzvz){~-&d9_4Ew&gkSrN@h^WHaE zfJ`Px*Sk5`0gyQZJ#51`aGIwn7k6>Af_856B%)vB@Pd6ODq0-}#*<``jr_(!9(?>X zN93+SoCfW7mguWI8JWm$WD?6wh-(9Mmi$ zwwWxuq{vriorrdb`gfDu!RCHuE8*rLhxzi9vq2xFvrPth=+LoC&e?lPLhshT zTw96WOvW^^&a3IBo36)MaSP0HC5h=I7$>^qq}OXgg0q@If7dI*zn|`+KOfZti<=M> zNx=b;VKZaC=bj5n6GXM0=Fu{@M8|=R2QU$vGuntbk%bTKdO+y_5WjkVuaZD*owv2{ z;C5iO^iXJfLrFe0&Uca^C@UGWm(s3%+(_@Wor$d? 
zk*M<=)d`v*NSh>W3{VYk;%n1ai;5@>{aY69V#u5uTC^CZd{JT7a8vH8>M!g6((YbC z_0jQJ_KoE?IgRW2vqH;ce(BlQL6rWv+*z~~n3*tljRR_n?zu4cn0;0)U!%5EEc3B4 z*NN}o{Ho}_D^V{^rq912_I7C_C2XSku20=TT*sIn52k4Q;OX2gbNu*u$KKh3_x%PjoxHA2VLU!b<2easWr|o^WOiZ> zJ^eGKAwhYJpkc!}i(nz^s!zfiopsH+UvS0`vqKfb@_Znna(dH`o>-2Zq%V}dr6};c z{_Vi%WKB^2`y3fKlY1Rw)FhVpRUe{iWHCd?)g~TjEi7ogRsC!N4q%9C?@^%hv_@QL zx5#(gr1;qD4}FbJjbw+c`^_B5BF!iz`JJlXm??%s<_c@2u7gX5C8!K%Ul+Th08%)R zoWvY92#A`kX>~jn=(-a2(I~%>$X&G3bJ6 z;n(@KDm?32TTAralDB)e1V`&+BN!2}8p;1Q=YQn+zX>7w7yp+>8^OrP|2-4^( I;m*J7Kfgz^=l}o! literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol new file mode 100644 index 0000000000..bccbbc3ea2 --- /dev/null +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol @@ -0,0 +1,15 @@ +import "./Initializable.sol"; + +contract AnyInitializer is Initializable { + address payable owner; + + function anyName() external initializer { + require(owner == address(0)); + owner = payable(msg.sender); + } + + function kill() external { + require(msg.sender == owner); + selfdestruct(owner); + } +} 
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol-0.6.11.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/AnyInitializer.sol-0.6.11.zip new file mode 100644 index 0000000000000000000000000000000000000000..b2608ec1993449eb8e96275638a14b255a68b36b GIT binary patch literal 3699 zcma)_Wp3IJjN4Im)W%!F&A0NHmJ006oG00IC2K*=Kz z;oFEI^B?DLj0O0_D917(Ky@q;~ zOpZ1`xm(cZ;mqI38Iz>XD$g~CY-f@@38EC_YI6%d$c1oifob`~=Uj$VzCpHD!50x} zCdlfiF$meoL*{AC&Cp7q zK6_ATZDw**=AqUz0W!o#e13xEkT&LfSyJG$(13cUl?r{EYY1DLJ#jl9**)9PD@3|cD(s;@F=opIe+7I0La#A;X zX{=m7_S}H%O5n$hZTpTL`^6LjZgHD_L*g6wg3L(jU6@d}8P1*~wYO6?!2A5xhB8GF zEXRHV`!=#?$#@c0Y;OZe(PaAxdZ%I<`PNbROIG8s?-#U)zLeC7B0tK%=~glkh* zr7Avw9#rPR@X+^#%r4mYRN{A-cH#r};XU6M6BHd+B0M&1TQ12ue7j%+h{}~zF0Yni zN4mActBBC~dRk~IH0GKttGy0nX=6ZUGub0f&*`5|KCS5XZQ}`UNBrE?Y+$~Vs6^tj znc6we?o~oOudl}XjOkaoT}qief`K1@9VW7iAF|w3!E;~RYtv2X@lJV@9$zqAc_dO; z(EMuS2l*Kc>npe+=rKT3OjUyk4x)5U%9aAfI}~oLG!krgWVH(JiJ_a}Wdl5(pZPjaQk;Ze_aTb;JX-ITk-H&>6= zoA^Ho@n-)7jTRdv9G7%&c8ZEgAKYP;vM*MSiR#Ew+V!&Rm)(CT**o60Y;|3K^^vAA zzi)mKn6M>tY80j*Ka4sD2@@IX?@V5VGnp+8_#=fcuZz|EOievnl@ABW?`Cespc9TU z``(g4_g!_gx>s~Y-*H=C@|({OPVET?khlNUx6ZhBr4_pebK1J}TCs1q7rq&a@)orU z`nVlhYKnvO%n7-P%@4j;Z{HVy)P#_SHCJ8t8nXy1mT;z^KI~4ZpQC42l6Xrv-_BmU zJl>{%@{ye`w;D!zvH`9&P!x;U`&sSvv+fsST*z4vo$%;ac->G*$-{fFUlP0i569S5 zE5RNQH)bxK$(Gm>(5dvdHc_I^i%->cwD?c$N34xP9#wlT8(;2^WXPly`A&t3*!SK9 zG@x8zUzcH#h**1c4purKO)%1k9g<)5b#uf2b!Sffkm!4|cw6RUEq}Qrp^gmZK^K}5 z9Ev=XmBMaNt~bPJA}_=glF717HBIDYhXSj22y?2|xXx8gZPB9NEiXPE z8&C*Lu%vfV)x|6?ygOO4HIV5rZ#DcN_iSj8W9i^~S^{w}>UPf~P)JU8Bq% zwI*b%{k-gBW6bFVtUqCeM6QO>MQ_>z%f9tFX5pLAUBO$L0yXUnJN2V%~nh=E*Xjm9J^?9*e;o#gfA zvLteWBvJl6NhMn+Q(>qaAp6kOagq^WE_txVTvm+8?DjWr4j%H{GQ0e^$ELg?IQgDy z$|4Bbm(_aYJg30ukVu4y$oJ)9L@8KjtaTHv@#_Gb@YH8NzU6eiP= zmnspwiFWBC4ccA+dR9&iJucC}!Am4LYT#x5-4`=&*;g#L-++A<8HF&d^d4Egz%OvgYGLnS zmr+CUR~8M@03St1PHvi074g~-@3xfbBFWM{)pCpT=SzOD{Z)FhaC-i~W~IV~aDayR z!w`YNUpxX$yyoAjCMlj!4mA<7MMDR0(5 zB0So$$8N`m0~Tm^$&?d9~I_DLK 
z8ta!;b|jt~M$}W1#!ML$?=5Rgu!1;20_P;kXnZgg^^r|O*t6LjRwCaB5IxKJGvA^@ zQr(Efh2E*(cbBp8i!Jr2{v1lVZ;J-96f&nNEV>`#)~;%n<>4xpLSB%_U{~ zIW{1^oyF!L`3cvg3DjochM)@dU%V{9@Pr0tqp~-`q6*=WPALJ}=+QlOGM*EjAjQ_7 zZ{G-q@3 zdXze+FB($TSCkwaJ%~pj_v%NHel_!|Tr%w~3C6Ktrn{v#EINw5p=>gN1X-+XRh

|BvyQc2-0o|_=G`o-`FRm1uL`d`6_bP))x52`CJi{?*xfCSr}OHtibQcRrQQ1dBHNR9T;?u4(@)pg1BXdAu@<_JlJWJ+J$~xT}CG`c-s(Mnc42=UTbB zNH8MAhG`1rqGbuBm3QQtq)KI$0eMHzSic_^*y?wwEf`juk=n;NiP9ftCK!;6N~?O6 zTolQtXTW#(Hcj#wb_*Ww=Nq}<%(ZXwgweq!Gu0NAjsMV1`MHCon=W5{Kvtk)IFm|o z3v;r5MV))!x@azI8w?D?*WFrjzAFdyrPO^@47;In_`wKb=L?gu6Cn{{TX4l08C@>I zMRsOVww|NoVOe;et^(6xpd$a4`eVVHHly;wI}MF2k}v8U3qP=a1}tvAu>PZu><%>6 z52eu!@39VXHY_^UMe4CEHK}WR9(cP0dC&EEqiSyTY}?2vbay!>TiT$(qyOxX>Gnhu z9B&?1^+UP6npywu+HctcV>Fd@Osh&%#K0ZrN^WRf5JAngz(?ijz5Tje{^p!iNl&AAEVa<71n z2cdDnze6uEyoFQ|OCZSD=*&vTOg>f@0IC>6ytQZQPvEJh<{5!bY9$ZR{1S-x3?#~! zUfV(6{We*IsO0?gndWNoC4!D$)UmBbNdJo5@d1nKo3fh;Wht}01B32;zzftgC8vI{{6a5$eKQPqQA|wBAP4uq~|4ksxf9-z& Df2;O| literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Initializable.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Initializable.sol index 779a0e87c9..c19577db34 100644 --- a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Initializable.sol +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Initializable.sol @@ -1,5 +1,9 @@ -contract Initializable{ - modifier initializer() { - _; - } -} \ No newline at end of file +contract Initializable { + modifier initializer() { + _; + } + + modifier reinitializer(uint64 version) { + _; + } +} diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol new file mode 100644 index 0000000000..d8a81a4cea --- /dev/null +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol @@ -0,0 +1,15 @@ +import "./Initializable.sol"; + +contract Reinitializer is Initializable { + address payable owner; + + function initialize() external reinitializer(2) { + require(owner == address(0)); + owner = payable(msg.sender); + } + + function kill() external { + require(msg.sender == owner); + selfdestruct(owner); + } +} 
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol-0.6.11.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.6.11/Reinitializer.sol-0.6.11.zip new file mode 100644 index 0000000000000000000000000000000000000000..a74cdfdf4d8b6b88d23c6ea9f1deca66155804f1 GIT binary patch literal 3721 zcma)<=QkS+pvDua5wj?@YLr+pswiqptWv9~z14`3Aa?EX3Z-a_8ZB+r9;LNft5%KL zVpoh(E0kIlMw;sdpo#>_@ey-9Gv`JJdi=IQl1zz3Ve+cUm6`HV4goPp~!*QebNs4rSD_hass=(E@j7O$VhC(m$4kv%vcC0U*AaiduOFyAmp6BY9G+9#JNih&06}&Q>N)Eb63QHU241w z*NOg6?JDF1>$Iuk{H6Yg_>%IB#7QH(^^B^oMN}n=Q(om(m=j`4V{H+J9r|%NYeLje z#0A&6OUiz3HWKI^0EiZY^vZ@V+S9>LM{(rbk*ztF7yg*)@Z{aFDSFJ-n@s&_)?X*m z2EmjfWTC8YpsWLKY>lZ;a;3nVfgTpHP;=>2E?27zcJr>Pw$Xymsht!tJ=tw6Qf(6* zK$QRE2OXnPg1(l#Tao_`wm2J`=1;VB38A)_b6|fT!p3_t&73OSEryc*-q*tt`g?D4 zZs$~bD9A6VaYFTQ0IFST#9>7G729Xn@!Fkm=WnXmjRkP^?fYv~sKFd{)23*hp_G64 zFb~$d$tDk8dD-AnLbjQ80zNJCzI!$LBB%mU@Ccr`y@zk+2QE}ucpA#35YnnV>&3t` zVF}wmG_R_pRUVVJlN$WS#>eMU_9lM*9>(dnP?t?VF$?LvlSC?$4s8{Rp-PU|`hjyQ z+UC8;`_mGsooL^|1MZ#PQDp%Fcyro%zVMg`l@QLq)A>ME_GE3o!@_x)bcC&3&*akM za0>eydodWD$nRW}EUKNWEqFfnWZBX*{?wZ$eVrt9X1j^tdZc70t!st`#*U#g?8g}&NE;FL~8c(jsX8|bf|-t|H| zWMYxT(NX6yAy-8BZtzy_ImIqkk)VPNm0A-CDJd0TLr7fV{2}WZFV<0bCuP~b2)ki# zJ(YE9_B!fSwPDtVKI>}|#Qs0wpmUABApV7p3D@0zPx1A)4X#XkMij4%=_i!iCP7!e zbCk~Y*C${8O^#Sc^cOq$_i-`ZlaymWBqv>BFOmUoCD(9{aM3~?rTTvFDyVX)UrYGo z2dzpB{oq^zAH&wPN3wtfGozIPv5k%h>iuX>NL&*R|X+^Uk*T_jt4@xa|Qni?`Tno1**Lk>gt+3bdB5 z^=e*ch(0g7XZYpTXj5DBL|49k{%^KH>xr%y2)7yeh^|h*kA;+deInw}Sh&eZBZ$M~ z+r@6IgTu}83UaX4?Fi=^XW1X+m&OGv^)t#w8mR>jBim-idF_UVekS}?D<}4JXNs}D zfVm-hS(UKJ<=k~hsa;x3MzOy{5;~uqHm0Lk=E^uJ;;2S4cr%A&#aEs5)p(osNeY`# zgAa{yx`U>EcQKJqQn`c(;Bsn5pEIg)R6)7KI43|%(N%qI+<>7{O(aHAFw{3->r*T) z8CkUfk=32(X!u9GCG4ok*rL}D{P7MfF!-VV+yM76)hh2$!mFO1!qv*}ZylWVCvk;K zvk`Fr?HoiI@@zQo8(+a@GheR8vk&&~EE8j%KUmeDC0SYEw~V2bHi4W#{}VT3d@UMe zpzB9B=W#y3na|cV^9#-whqPt8zjUMaPPnReL4El&)e-rRR@ajZ7e&nqJ+`K2tlK_z zWC8Mya5K<3?h35rIoZ}(wjBL?aNlK~kvhp9#TS?F<|G30IFmp#o8Ds$Acj>PI})0H 
z?h{BG3OgYubn|gQ2Gch_KO}u|XLPxT1KZ3nQ@MSeD4im)i@@DNWR6uRBMVmXQ3(8$;#NDCg{?A99GujI z{AANo_cmhZ;WT7E2mY9FJ}4M z0?#Wqvf;y+2v1+_n-xKaN{VAbU2_@M7HyoK!j+5qLD&FxI@w!;)|#_$)9WuB^F`0W zP)#+UPEP^i^(ZH68n9*?;dJ8io73YRXn&|qYf{iN7!}ee%y4J(r!yKcx_*buFG7Kv z>()qQxG}4dF;m<;75`f_Q-0BZ!sk}0kK!_I&~t4gq7+l360?nmm>LbCGh9SJcS_Rh zN=BXLs{DS{;?Sx%m07m{DavlJGBmAwg>wwBaz&MqAK>sHP}TiR|KNpP(Wy+W-9 zrMUYtX+$-dxh)jcK?kmhJqzW+Od-f|nE>8=H*AoAs*M2DvhTPVa&Rlht zErsSaseroCv%4=ksGcs3jLs3QtY3OuFLXKJxNRiDNMFwTXY*OEKKJ8vdl2Iy_N}N) zEK6jc9BI5`R%wqkcpwXuPNi~~NJxN1C4XLrw&N6HUEW=-+4~|f<8u5(v1|u@zD5x$ zDl5B=?V zGH`ucpE^ttU0MG7)q|t$>q*zgRm;VVxr2T6^p*D*e)K%Yg0lh_Y(AEY_MQy-!Dro3 z^{tB&&M7%Wkxq@&Mvej^xEK?gKrD_xe%N=%D2(eU9i_fWit8+ArC|$v-c@y~^;GKx zD79qetKoVCX^9Ynv7I+syv@@vPdCQqg0J>k{=6XfXmK_2beo;mU0#4xK!fNkujNN{ zndszD?(rAt2TV?X6jLvlBmYT+pH{0}7BeLV;8Y*-G&QD>A2+S8mA7xNqc`zGs0L@p z+oQW?vR}c6Cp6U8K;lwGXZ7aeY4oyABs^6Eg2fAJzw$ie=~X^`d{l+4rYr803C8PJ#!#VZtzQ+Yt$RN z#J_Pe^-kPo`9rE(&8bhOOz$5x_sD6jGJbn(Cp3L2R;8C`RXMdAL0gBp@6sCm=+S#l z@*s_ju0m3#bG-QLDwN~0&TpZBWX#iPM{-zdDg zBD5ys>x(o6dm=_(c`jc)CaOMRK_xu641&JP8A!md#0?~!<>DUv*kz0VP?<*~lg$+D zN>r(_)OAT-d4Cwt-T+Vi3_cP&OzMMUdu&6gdG37u@R2M&O%E_J08*%f{%=G4R}%j> b(ZK)k|MEo>14^p@&cJ{B=wI?P{lKYeW?Vi153Km*v0HZ_?)T-%3H0{}C2001`t006^-wcsv( zE;jBiAr3ymzMk$@4nba?K7Lj~hzMgP$ViJG_01ycPC?q5}NnA^K7ylY< zm8Z_bz+Je|9I>eetcsj7zFkaWN1+rvoSp7rdnjSfKS0`NA~UYvRr`hitOC!YGE97{ zlw&hPn1OP>kDn|jQe30l{Z5zY=kWT3SzH#)Y5`kX9xppiRmq#&(svD>$=n1|9P{3m z9a{P>`M#d_PkpG$>Et?nsP#K?I1Nj%?}b60&AaW3O%v0~by|5%imCDW7L~T_Sc7PIDYUjZH0R-79#@ zqLeky2M)&}lV(F}sB#Lk#n;_HZHr%fFX4)7E(p&ON~Mjo&Yt)mw7JF;U^4S+#wJDa zQMFopib>FE(q~KEtDQOee?`$W#gCQ1M1URjMc->z#^4gdXq*~)gb z8MPUWHTRtEACcbO9QlE7HJa9-K|h4pnbF!#S(*nPO-V7C(c;Tp`U;xTjdylwY`{aLN830&YJ{S|4Z zSYA#fyL4%c3bY6tPv6M<(=be67-=quX{O@2L*+5>R<*U$CDF!)KUVIt|Xb{xYuM#xe zif8p{#$)4u%pow{C0qh*x!-y%5xwv^5Dg&sBfR9)>(r{Q z>Z0U+i>E**wKh!G)JaH+VKA3p^C|S2ya|jGsxF-w;g@>UG>kG@i!5NVY40*IHD;bV zr6q5qW_IV7NIL~%Tv4G6Bx*{cI@Xs6Q%FKz^u5fp_kz6LS2fl~ao{rPbIZFPQ-Xs@ 
zt#sd!yEkABr1tV~e$6#p7&jmO_d!uhKGR*>;Dg0_>@H;Oo7=%3+C2;NMP7NJEB>x0 z(*S0+Ou9|&IAj1X(LY%nq6s<`9cZDm(_g(qoMuTb-!V|$p->i24YZPt<}eBYWx35cMfOs66FnaN6IO=CHyfN!4246qx{{M|tovX^U36**Uj()o%!y~1ML!NBO_Z2qqwO+!fkhABks3|CxM z8gq5PZJB>;aGFp0o=IG(g?gf&|F(C_;ItDiI15a=^vR6-HFCtk2Ot*A`5Iyn+@mV3 zdNCLSc|N#2sH>Vy{(*h4o#(h;&S>R++)*)FRhkkKs64;vij|k4TkjSsUF6QWCR-iD zo2I&`C@GJKIU`nt#C^f<=l=YwhkrR0t_RIF}mp1Ml8rDnfhkOPy5OAKe!q@ z=K|SAy;x9^3SKj=l4kY&10Nw0q}ZnO@(qL+0mPZt99Bl(qT}`6KLmMs;x4S8c$hj~ z4S)3lK6%Bm-Ef|{OYalb-J*KL#G&selSLrvU6nW;uZc3!8Rhy1U7d^m9x;!+(|0?7 z6)8zfFIC`Iekz_eESX1;GQG%-Q+W&V`*Lx2J$5BHM8Hfuaa2L)6Q9ikau=NaI~%1l z@T(!&wG{w`9|pqiHyi3d4fD@m{X*`Opm`a%ISvgAzW&W*+R|}HD!9Y5f@m6+ktz?` znwbc0BXgAt+ryMMH}qVb#h;sHMbLR1X*r8xvwZHc9ZH8#5wYvAId~?84c$e(YwBf&f44C@--0ksTVb96rxw6~Js*G@;eOSaY4=@mwqC zn{;gXu~p&ArL#iM_BI4*yNQ5&u4b62Ap#wndzDnB4Dv_kwSP`Arh3{CtRCZ7O;A9( zX>%tpczQXs!>kuuhr};N+5Y+YjYA%a@tO$}vI4&u4;h!Bk!I(59_Trn_=Wh6aJ@)? zBurf6onT$qGT0OvKa|v+47nTKvhs$KdPYYHXTmAsWX)DnB)9mrTW}lh%EtnELM}^A z3a;BwSRB*C5|z3dS*e?&YOJhufeVd`BZ@k`>_PT-Bv!H|s9awnagDmYG9H*KRh#nU z!RQ{~v5hon&a6pSlKKFZ?ZCuxcu3`#(8pE#&04cF^oMp5#V)VF=C7_Ftdk6t%^99N zmkTdUW{`dqW5^40%Y^r-QrJC#9;2QQAp(-~cXo}JjVB%>@#)UimVhZ$*2HD`yfoVV zh|pqP!}hC}%!ZFPw;WRajwl-BsF<~b*=s!iY72-}oHmf>$Yb3yXa&yHK(JtjBH-NU z#pL(yfNg6vMD6&wPd4{Gqu1lEY*3G@zxEkz&rn1CiPkO~+b6-KWN|W#;_AHZk_u5kA8j$_Pcb&N;Is=!nvGMO=a7SGiap%Y@}f=! 
zyIFcwe9qMP2x5EU-L6L=6<4S+u;0t5++2TebRC1;^0}YvTv#)UnJzQ5cJ}3_J}1Ol zQa#IqDvp$XIPd0>shu%45qxrs;)=}5?RB5sCW;GC`@gPBk~mkopUWK(T%7`tPH=@r6ufbkWben;K_R> zsz**=-hA3xz!931D=Jryff~3D4rjkRC1Sdwp96Nyh^9|0-0XGTvr9DcJ*bTF8t4n|0KjYc{Iq(c}WC=$}CbV{c* zqxSl|-=FJx&iQbEIp+u5TIvLZvH*Ml1z;!0*ibw+>Yfh}0ARKU05|~vfQ~)P73K-E zhQoa9-T6Hba7+95ZxQaEme%gJZ(!c`{7xPSS5iVEfH?pV2mnY&L^ulH2)pHv4}WYOUBLG3P&Ae@Uw1#DLDkDoca~I__tQUmmd-hJ<8-m zQ+?>ck{%$o**tn68GBaH zv7;6o$j)tq8=YE`s$9>-Dv&Q!hPu-%ciKYPa$MszPdZO(4x(rV4JniPttC0krw44Z zMxam~h?AbA*1k}i0+}^o#Q?tmM)Y+S23C8R`S3WB1K!z|it(ug0^`?YS;XF^8|Ln8 zG!(3izWTr(R+xJ9$5^!--ADtPt***`FmOBgLvq9B%wS-ha>ht7rI^a{{q9WR@lBpI z{fc=iX7JUS;(poUeQZ+snO<}sN8huI4ZkvE6)iqWf!AMMI|X{ce&FS_JfH#^MwJvr z`5jHAp6AXy7sPa<69zkkyV(KnTW3;ry&Id+Z+kqoLgN=w{oO0`7@^l!CoTEYow4U& z59#Ew*(r)`p2g1Op0qnldPPa4gSYXu(<_+K>iOa8k}H|$F?P!!QP2g{tTpIJkUR9} zZqbpi&`yeYE92#GO>eF0O6GZ01fveETxNYkjEn`MM|6Oa<+Mgl-HgKTcWRRr4$}^C z`E1fZ;run`Zb_5SrKw&mmhyB__lB&Ul?D7!@5Gkx{&rW@6SwC*@)>+s|BmmL-{+y! zT_6Ub8y9?@R(1_@OA-qTmi0nC=|7cJ_dv(m48Ya`=pKS?pth(IjJ>tJP-}{#g!uH~ zH2NkJiSV`FrJN}b?Q^dxyfk%cEDL+P)QvN&-FAVSnys0`XgiIu^OZJz4l3C|WPy4Y zt<`#xMQH3>1+6}gVtU8qS56l<46%;JJRCmjXBxTh6GfLtf0eU&I&(R?M7cfuk^-aJ zZFjEc(t)!LykLz=R4EOK>Ms+7WnWP*W^w8mv+Pv3g)Hq+L?qklV-;MD7SS{!gQQBr zZ3^rJj1MX*t}LhL*ALZ+u0)Ke3O=>$_x#~`>=QmPJH_w?Z|N-jz$Br>5ivNfNyvyA z&{+6Azsa@pmaLa7RJbFwgawkMmHpU_eCE12n)k-#I`jb^7-_Y=dT-c^#H=Z*g%zv` zcZ0k8n}>*p=C{k6S!VAI?O_S^l$ct~XMCr4k80c`8!3s*5Y(Y!UuX$W?Ap0zKBY<| zN^fkWQRZPaUtR!-n=kog7y}FVV>Zk3qIv!rMn5r?st9_cz|@O!2u=dV~!dzGCp z)byNYR^`MsJe>$`3d1Guz(`s!B>VR^0`L zm~ADoghX}D^-P4D=lJ`FGXw$(g2g;E#Q%;Xn={L-9S`v!i{f&z7K-D_=sRbhWVtq* z=kFAy6@v~6>gjB#JC_DO^PIsqfM$t&6!|2*fY>zfIB zB6}c1nX~)p-X*?WRxQo%hc}*(hbbC|Z3RrXYlUm}^0W-JS+*YW>E`Tek$Jy#cg4OW z``+P6DG0O+cnJmHU_I-edln1!u1~gJ#U0L*$yg>Kj%?1jfgtvM9^zr2)6H%Usteo` z6^iRZ!P?9G2gxIU%4^x6P-hz!za+VQ3(cIw)%B-N&4Dm?@xAO#K(z?-qmF8A{v~MuIFjnvkV-wjO$g*OSaJYz#{>iYN54D<`1@`IdbXdrbd1k&i zLJC=T>iR*yCy)`{G8tEwJZ#OmQ+hL>8bBUXaIR+^vAi)C${{Q9m5SzzJZvrkw(`c$ 
zX{ZKFf~b5`Ku5_$eYgA=?eUrmx;z<7*G@L3EIE8Rym~S=!_#}qMp8o{<{ zF-blD@Bi`x{5EpS2)#w#p_Q$J9&ki8Jr+3IoPCsLYWjW90`V)a$F7K73Z=<2E`^5f zjlil@r){*$A+#da%GV~Nd9%8=!BbS^jZZ1~CjgG(A37+;w@A7ST=1GiDj@!OnC4eI z&EPktb)qRp6}+SRoY5s%Kgyvj=DW58 zBhAl^r)A_Q8FFOZMlV@5X6@B|hub=*Uv7>bIr4pA06$y%fPh8|Grx%RlTFRgIDB6} zW_oQKj?M9H^L{m8OjG*elAWroe!3Z@9J%n6*6vkHNgxS*cPz%SA zRNV4e&C(hnbsmE~pk0$Samhln4&(MUp3I@e2$EjEgLvfOE=rf_iDEPbgd~ULr-3}l z11aryiWya0QV!Z>s6IAmvjpg?%S`YNHpI6`RTBiyNXsF2qM-Vga&^hx*?g_JV{d1o zfUU};rvNpq*fo>Qbkpovp%vfRQ%=zQ;H>goWFXYeD=3kIr3mWcMLhszb(WTn^*nI|3l>%qsmWaf{6;Y@sg6Z<L<}Q;qX-h%AX+=GUV-=%c4{^X}KSES!(50WRpW+_(P&mh2Vg~&o*2{ z(4#BED5gp{OGrtLd0Aq7lw5NIvtN+FR}MLsSKdt=sHQJmhWCqpyS0Iig{IhO-UC-5 zL~3EtCUSY_tHk`YhRe$`zkKpd;u1uH4H)IO@X4nZvFj03w5r<5>@SHwOegoU#%eUAbI*cSgqikZU`zF-(!1jw(OIPm{`qkHNtZy1;wUte#>#2VFe#m7A>B9n5 zWD+3NLutD^zVA_{L3mw5uZzA&fRNLJtX}D}X#PSGADg+U5w*0U++%3#|yo|y^N(grbou2 z81?HK8!$l9E~?;MwvS^WCESwtOvdDc0;@n0Kh;u1b?8*h)lv<1$fAS}ixHy)V$h6) z=7i4D_vc5&DD805hLlKaK1G_; z{>ii6PYf|b1p&HgqDV+epc$>khB)q1zH2VwB)D`3n2fx%ab60#b8sKiTuxg9B^(B$ z_*KGmgpy1#-5Cc(tCJ^}GR-FYEBeVbnvzyKS9E{U&}3b6k5c2x0Sn}EHKuQn%tcjw z=IKPw#uTdtyUB4DPe7M1973&?`jg}{ay%p#29YkFt#6B3j8Bbm9X*rRCi_+n`OP2JKQhdhZ5Jh| zJ|$1rBY|^GT>3aoz7d4*)%z?En(=cpJ#M~unf`&akS?>A=hdYgpzxbpux5=w%*15F zFo|w9YSt9<_p&}p$)MIE^*5-Ik1L{axX^1a!HA&YUTHBIq{3qEJOJWInEoJ}kA7pa z?h)y*z5Tu zHz&8Ry(tI=TTldaj%iuilB?Vncx$j5&txqs_hryA+zhTcalE(Aw`_0g6p7QNV6zW0 zyOlY_pys7qFrw*3dGa;6XqI<-yvZYykQgsuL=;lWZ!ERyGHZV8ySGgVcptj=_!b|tlD=MDZ5#X%e-n=~F#}#)P*DCd zo+}OTRrIv9@b$u~4aMjz9#X=)MO$ds`Xd(+MI0cjf)L;LE_Q1{OC1kimf*kZ+dqT* e{{-Uw2mh1IX{i$t|7VQ%ue$&E^`8v_0RIOl0rs*0 literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol new file mode 100644 index 0000000000..bccbbc3ea2 --- /dev/null +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol 
@@ -0,0 +1,15 @@
+import "./Initializable.sol";
+
+contract AnyInitializer is Initializable {
+ address payable owner;
+
+ function anyName() external initializer {
+ require(owner == address(0));
+ owner = payable(msg.sender);
+ }
+
+ function kill() external {
+ require(msg.sender == owner);
+ selfdestruct(owner);
+ }
+}
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol-0.8.15.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/AnyInitializer.sol-0.8.15.zip new file mode 100644 index 0000000000000000000000000000000000000000..9da08b61b090ac06cfad5660e4b6d09d5ce3ebfa GIT binary patch literal 3666 zcma*q=Q|q=!v*jdMMccoiWW(1YE)}f)VOU`d(xPz~)kfWEI>wV&T0CNB!8~~6-BJIWSVjhJP zBlXgtydGBvo;G$wqArUZ$E;T?gXl>RIfSFxIruPJh+~_Zic5Ib5v$lOwEc_wA|l1m zt4slr8OX%_+>7(kS}Zv}+u8eUm1Y5_Lzu;5j#l#BQgzX8I#a|sHdj7Qr|7%TO@|U$ zypx3_5;sy>d;tb0$Z~0oJ=vMVlb`(+uneoGX0v2X>{t;S*}06`q;OLj@kiANtmU2<}j*5ul#6Bus)M*H+`XNVjfPc zVsO9qA1)4oQ*6|9>MIiO$?&2c;*D9*8Qv;PmGBVX{+J)cLEtA&RAG^z3HdLG>cNUmesrHk$-Sy?)1 zYMS}0D4k>1x4SDePj~2fXh*F;+z|LHV+#m@kLRQoUE8?3rm*$Z-A2xtKev2(37RQ5 z>Psif7JBYtnXhwuzg;yqI2gd0?=0b1;9;}ytTiSgv~46ggD46qLQNp-x93^4>ySaV& z#q^mj(ZB;TXcQHX9qI7%>etPisX2UAZNJ{W$dZpqZr?^t=PT-)%Cy;*H@?wF1hCOw z`DpwNEIa2FIGqy_=+x7wqJj5HZayIvP2yODRHV`=TWn)it1{G*hKZzH&a~e- z*lAV%0ndbwPS_>8;}vMkYo@wG4f*I>(%HT1@AURUjCiP){2cNU^S!kt5~6M|>)AI9 zX6?)haQyTWY>X&KK2@ryvhh6{{-NG|Rx9x#n}617X*!WX<&#Ra%rVdV^qKiWovo`s z3@sx6*s~&dKF>yP%=_=SCC2(s&Y%`Ra(CER2t(M;Mhd%r3?HMU)yWf9;J!2W|j)JKHDfiAUrzn+znK3Eh z)+qTpou$cI9rXUUQprIUOC|B9?kKj-u^n49L+kyDuUyiGIfC@R42p$Hmgr5)c{YGjRF|8frTsAX7o3HcbfPU{(Wv3p^S81 zoyzw=U#mT^BYELApD2CI9_C(q?(>!J-8~&vkCd5zBNrh>8Q=9`rS?dVnpuLnmS}#r z0>klPKqHzZ;ZKD|>2ysXKT22elyOTKZNT$12p#ZDNdr+PMw%q_2u6owyJHkACu(eB zir%v2%}JZ)d}NP+cfmo(8*|F>biGef`-fH;KsV~RX2i2l#hjALQVlvS9BFndRxV&d zW9QXXygOD*Pk`Io#ioIl?BlA`ICkjt4u4-4Z3>w>8IA^D%*o&%uS=`WDJSkHhPn0C z!$S0i_dnmT($oB?dbJLlAZ*OI9MRAbjN}m7v|tZmubfg_Qr94Ro+x?a;KEhB|5}vz zrw7JMpMLL>#jrB1%lFxV>}jscB8p6CSM+9iEg0y z^h!Q#_Jznnl{eJtfhEiS&b`D*66$)WLT@o zvP<07ujV0*`@TI(-pyr@9nLT`)?lgv?|hTeXHq{} zUGIx%%hA528)P`FE_>!(8blN`*t>3eO_q5mP3r{4n#pCstPxwv+3yJfkIfo4`JP@( zhPlqxsJCQlt!g10NR+A)u%_?N4pj;!{8#^n%VpVkA>Fuq3bi2}vZxuBWt_zuokIzmM;)uiS(t3Z;9gj;GRBu{X~5sZGjQ<;d6 zr>_&0KJqfYQO*A0{y|k@RNs6H>&)$LIszw)pw8{hEICmV46`!#q~tAOakGoT@GdlP 
zk*pH3Uc}AXLUz=X{5%Y|R+2zNl)gph5HQxrIR~HU@?Pf{;${OWk`y3l(p;lP%3GB@ zj&ah$G^QZJBdVx6aGS7^jn;Yc)`t0|IMCk&;s`ux)HeerXa{hfxzaS8u?yj`2BY~# z02Xq9HRysQ?yZuUiGAdk9OpZ_S$p2RO8fiHWSyP{RtE^YVogTG0hx7P<@?S#hnV9= zRlw4PbkMkA^y8`!G@7OgMEBd&dhVaM;uF*mo9QCt_HsSU;Q_$qt`#0%{zjxoHu zIL3H>k*1l!ub@@!`X)HDi96pDu)9GVtq~t8hBxY$iUI z><y&Xxv**&be9Bdxbn_GCg@Xx#zr?WNZlmeNkm$OOJ1ql|Mfsz}km}B1 z>$Bg+()-dn28@wQ+z6>kx*D5J6@`ldyHYxtG_wuJG2PeFze1%`w^l+9PTOmC%CqWy7?G(hC0;yeWb}3K~FVPiDe_Flx zc=xYwPR{kA3o*4qEdo!3h(h~9hNs{n$^lJ^ss=1BN>EP+YXt#}p}Q-0!=i9xap2BB ze|qXGrC*nOD)EVX42V=_(v}C6TMJioOgDE&hzw;fuvdmWM$KKPd{x?)dUpnXebO!? zr2uh)sA_cwk3T=QRE}a?>siVgq#U*r<_v!oBN58nX0{hMYSc~8apwa1$XO-NzlV{p zH4;o3RuE&3=`?gp4FM-0eSPOdd+){IxZ0Y3A3$EY`>wf-y8pHwopx$1WM3SIky85jIHzO>Kl?w z@`!%In`I~>&meM@d5gQG&aX(tkC33ED#I_1UAG}>!O^hGnCm-5m{JrIaWkc=gL~u4 zE`22?oL~bujlHB7vOhvFM1SA7GMvDhN!jVPO+Z&ioq+HK(SMiTzu5c#gcJN{{x|pO VsNW;`&zs=i>ixUh|H=^n_&--P_3Quu literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Initializable.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Initializable.sol index 4fd7561c84..a095b72274 100644 --- a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Initializable.sol +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Initializable.sol @@ -6,10 +6,14 @@ contract Initializable { _; } + modifier reinitializer(uint64 version) { + _; + } + function _disableInitializers() internal virtual { require(!_initializing, "Initializable: contract is initializing"); if (_initialized < type(uint8).max) { _initialized = type(uint8).max; } } -} \ No newline at end of file +} diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol new file mode 100644 index 0000000000..d8a81a4cea --- /dev/null +++ b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol 
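Review bot: In `0.8.15/Initializable.sol` the added `reinitializer(uint64 version)` stub takes a `uint64`, while `_disableInitializers()` in the same contract caps `_initialized` at `type(uint8).max`, so the stub mixes two widths for the version counter. The modifier body is only `_;`, so nothing breaks, but it reads as if the fixture models two releases of the library at once. Either declare `uint8 version` here or add a comment such as `// stub only: version is never stored or compared`. The declaration of `_initialized` is above the hunk, so its actual type is not visible here.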
@@ -0,0 +1,15 @@
+import "./Initializable.sol";
+
+contract Reinitializer is Initializable {
+ address payable owner;
+
+ function initialize() external reinitializer(2) {
+ require(owner == address(0));
+ owner = payable(msg.sender);
+ }
+
+ function kill() external {
+ require(msg.sender == owner);
+ selfdestruct(owner);
+ }
+}
diff --git a/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol-0.8.15.zip b/tests/e2e/detectors/test_data/unprotected-upgrade/0.8.15/Reinitializer.sol-0.8.15.zip new file mode 100644 index 0000000000000000000000000000000000000000..e58f71c44bf6463efc884abc9f72584f15f2e395 GIT binary patch literal 3691 zcma)<=QkUU0)}JnRchAWl&Vpx)QC~kR>a=Kh`mW|8nri3qi7I{+M}^oYwubyYt~*R z+~4nhzvtZd{qUUkocAAibTn{q3G$Y__?<_1Lu02JE+0NeloK+hfw0sDZh zUBN;2Uc%n)u9o%z9`0T~meyXjPGCQKVP|i52oWwGz#ISw0{~>>;vB{9#5{{8M;l*} z!TTU!ZWK#&f*#{*);aGE+UIA%#JsF+t|5PNgjsjEC^(u2TIv(ZSB*Hm_Iq`>p1t-EygP;@nm(IrM#Wd8aI6n+o{- z>7k=F6j#NKGJtC%```h;Ct?NvskJ!-l_an>U=k2pI#V7)7d^P1U|O$}(kjwZPN{x* zrDe8`BXKjF(aZepWb~Y5_w`C=RMOIqXkff-;}kc?(4%2vLmpfcKi$%Crbmg0?sZnA zhV!oK`=nMlm$mg>?pRW~^--Z_dXD7!aWm1(q&e_Pnv`2~W8> zW!PS10IlUHnztZucStX`GWuJwSdxDiSg%tHe>@jw)9>Mi*uH`D5Gi0j zrQAkPeS7XoHZI{j)W5fa`u&{1EjDgzxa_0+oS7v+qJv8yO(I;8D-zNy#8u&Pmi>k( zdh&`a0Jf%*ab<*ydH9 z7wcw22bLgVy1$?P!eX~FKKCJKN{C8>YD6v>w6|Bs;b*tlrid_PafH$;+`931{-%ng z6d7lIBmJ|sItnuQWfW6U>fxK^8CY!r4Aj3py$2o`_d37<+DQC1{LI2iC7%I zFzy8q`fDjTuvnQq_bjaF(ob47<#`7Oy1@Tc5}MC81m;0#`KhCGigR%8gEVjQXRdog zY_YXWS_AS0EVcUpah(2L0biJ;a#8jdhF5QZCtr;Y#~K2=%>=KS=LO$#1N-2yjxF8S zryK&oCW&kjusi*$Jq1cW&ec$J7i1LwS#b9p2|gn3I2rtZ48JxvR2WtEP9=TPUT1 z{pVB5)m-%SvNV0a@LNzFUk30sH@&W?MRtD@@(QLJ>8AM7WOchhX@mgTb*;>1fPMJC~zlQ<0UvwrS6 z|K(Q@b2ieJo1Z+=T@%Hw*+}!t>EovSkvhA&S46D@CemI}W9ueIHnoT5&xxi^El3Avc3>`A|E2fIKO>u zWvl%nrjXr;G9(@iqE7aQ3g-N z$=ezj6H3~KdQ!gxk7bp-JcaGrvZc>9khZ;4d{Q9n*sqGBQOx(XIl1Vq%jtc_+nqe{ z@kp!i6w$hN0rYH^X?JKTajE74LriTj@*OM{rLpYQ#?-tYtGNvujaje{2;xWtn=z7- z-ub1bo+cskkG9yf3ES-GhqXw_xDX`R;zJw>F0hwOb3#UB^Rc6{FBrHtHER!u@E$ED zwAMN86rj)ILdhRj?u3%F%ZRW57@DiEo-zjcF65G_8iY!{-l>#ng!x}kZk~LxPy>;^ zz}*>zfp)st2r6c32k466A|%YNNQ10(UwL{{M@D@duABB6&VA4$y`#U=d|Ou|(G~}D zk3}*?)C|b>ik|Ro4QO>HPE)z72pL;)(*+5hb*(w*U)lGZzUkEzdcc^ zcEfPpmaz1-&E~}?sh%szW9AjJ4E-mrwEF<+3F#wj3rq_+TecBL(6ijs%AYX8H!Fkw z1LF)Ss{6S6ueX2kvRk!DXWz@_plmQqtizJ6=g9&(BbX 
zm>Yy2(-Hnfp!U(NHun@*ppD4QXrQWek*q&x&}$^&=QI97N(3DYjzG?sARQFuY%Q4- z@BXsAv#P)tEK8aN8lGoF(y=F9DP(c}X6UtPPYviFh{bJ?#%%r|DU}?ET$T4p9w8H( zhUMkezYNZQ9#v9~V8{R@zbr5wi(OinH;4@nq%x{tJ9L3P&KPn!zq4%r_&jEHz>bsaRoE7XFszMrnP6Oj;<`a{tG4~W$_7Dc4!BoJ;z5@&8iIH~30SQ(A7 z9IkPBno~SsHM#kW{KsFCAvUXeJ5#3~8oER3-rLZxnD~L65f@YZnwL z;(`s392c5pCWz1^Wl?_sre-M9(S<74eyR1!*$f3hA zYcS1HOC(a7HWZwBc=P}VQM7{{Y;ogJ?<7^l-*sMt$_g=XEnz;C?tCmQo)q5O(UNW% zsgvmUSd@duFv6b2;-KJY(xSSh;`WG=Yd<%e>~6OJ+T~I*WY%~ds_>Yxa6)nKgYYYt z*y!?#bLw`V4qb;GGGdD{8LQzS4!NH9Rr)j1PWuh09(K9J{x=#@X)q@0#mbP4{MRWe8u=7kGmR*Mk_V!lObaZl68f;4qMb~uUrdXF(J^sm!hm#NnimxWp z45mYgK2J2d5mU>KK?hU`I|oyF)L{?5CFjAfE^z;}0BOtMv`>DN@_cT7-a5G{AQ9Ui zTX&HcCAXMoJ#l>62k})r#*h#;eUc7eKN3y8Q4mSO>prW76EBi36~&D?Ku(Y*MWFbH zeNPw{U$D11asbr+Y3S5+F~nhiC{VnKAP%h=5*h^!N>$xacrV*kbH?~y+q>Y!jW`j) zS_Y{&zJO*TQRl;Qw*U1M9= zN6E$s5=pOt2pR^;Zaw+TRXxhtVu7#=HZb6DI*dMtt-+$)PjDcea6j^_WR_sLu_Zgq z{+&5~o=3oDMA{Z7F-w6&w91y4>AfB*Scd5jiV_B=ztt=IASLOy;#9v7aj))TA zd-jf3YU|1q=F!vb&LbD2x+8e|)G(VW40VT-c)Z6vF7PK|gNSb{C8$CpJsB!BTsL1Q zm`Ss??zWq~-}?AQ2TqtZnD3*0fEe$J8x5Faa(*F3?LU)ZeQFNaMr{g{Kq8YGEc+hL s3Ez(BXkcN>;rwq0{6_=-n=q_@@qZbijs_n7zh|s}s{aqM$^Tvd0lrZlAOHXW literal 0 HcmV?d00001 diff --git a/tests/e2e/detectors/test_detectors.py b/tests/e2e/detectors/test_detectors.py index 28dcc5e755..a3dc933a34 100644 --- a/tests/e2e/detectors/test_detectors.py +++ b/tests/e2e/detectors/test_detectors.py @@ -938,6 +938,16 @@ def id_test(test_item: Test): "whitelisted.sol", "0.4.25", ), + Test( + all_detectors.UnprotectedUpgradeable, + "Reinitializer.sol", + "0.4.25", + ), + Test( + all_detectors.UnprotectedUpgradeable, + "AnyInitializer.sol", + "0.4.25", + ), Test( all_detectors.UnprotectedUpgradeable, "Buggy.sol", 
@@ -953,6 +963,16 @@ def id_test(test_item: Test): "whitelisted.sol", "0.5.16", ), + Test( + all_detectors.UnprotectedUpgradeable, + "Reinitializer.sol", + "0.5.16", + ), + Test( + all_detectors.UnprotectedUpgradeable, + "AnyInitializer.sol", + "0.5.16", + ), Test( all_detectors.UnprotectedUpgradeable, "Buggy.sol", @@ -968,6 +988,16 @@ def id_test(test_item: Test): "whitelisted.sol", "0.6.11", ), + Test( + all_detectors.UnprotectedUpgradeable, + "Reinitializer.sol", + "0.6.11", + ), + Test( + all_detectors.UnprotectedUpgradeable, + "AnyInitializer.sol", + "0.6.11", + ), Test( all_detectors.UnprotectedUpgradeable, "Buggy.sol", @@ -978,6 +1008,16 @@ def id_test(test_item: Test): "Fixed.sol", "0.7.6", ), + Test( + all_detectors.UnprotectedUpgradeable, + "Reinitializer.sol", + "0.7.6", + ), + Test( + all_detectors.UnprotectedUpgradeable, + "AnyInitializer.sol", + "0.7.6", + ), Test( all_detectors.UnprotectedUpgradeable, "whitelisted.sol", @@ -998,6 +1038,16 @@ def id_test(test_item: Test): "whitelisted.sol", "0.8.15", ), + Test( + all_detectors.UnprotectedUpgradeable, + "Reinitializer.sol", + "0.8.15", + ), + Test( + all_detectors.UnprotectedUpgradeable, + "AnyInitializer.sol", + "0.8.15", + ), Test( all_detectors.ABIEncoderV2Array, "storage_ABIEncoderV2_array.sol", From 314ceeb3c28b84a955e1dc010342c328ed5162e7 Mon Sep 17 00:00:00 2001 From: "Khang Vo (doublevkay)" Date: Thu, 26 Oct 2023 16:47:13 +0700 Subject: [PATCH 2/4] remove ambiguous relation between _is_upgradeable and _is_upgradeable_proxy --- slither/core/declarations/contract.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/slither/core/declarations/contract.py b/slither/core/declarations/contract.py index 458f951f56..359658cbd6 100644 --- a/slither/core/declarations/contract.py +++ b/slither/core/declarations/contract.py 
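Review bot: In `tests/e2e/detectors/test_detectors.py` the 0.7.6 hunk (`@@ -978,6 +1008,16 @@`) inserts the `Reinitializer.sol` and `AnyInitializer.sol` entries between `Fixed.sol` and `whitelisted.sol`, whereas the 0.4.25, 0.5.16, 0.6.11 and 0.8.15 hunks add them after `whitelisted.sol`. The position does not change what is tested, but keeping the same order in every version block makes a missing fixture easy to spot when the list is scanned. Moving the two 0.7.6 entries below the `"whitelisted.sol", "0.7.6"` entry would line the blocks up.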
@@ -1337,8 +1337,6 @@ def update_read_write_using_ssa(self) -> None: def is_upgradeable(self) -> bool: if self._is_upgradeable is None: self._is_upgradeable = False - if self.is_upgradeable_proxy: - return False initializable = self.file_scope.get_contract_from_name("Initializable") if initializable: if initializable in self.inheritance: From 2b81c02c612929c26bded0b32f87fde7d05ea040 Mon Sep 17 00:00:00 2001 From: "Khang Vo (doublevkay)" Date: Mon, 30 Oct 2023 12:08:20 +0700 Subject: [PATCH 3/4] make lint --- slither/detectors/statements/unprotected_upgradeable.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/slither/detectors/statements/unprotected_upgradeable.py b/slither/detectors/statements/unprotected_upgradeable.py index b032114232..59f27fc580 100644 --- a/slither/detectors/statements/unprotected_upgradeable.py +++ b/slither/detectors/statements/unprotected_upgradeable.py @@ -49,10 +49,6 @@ def _whitelisted_modifiers(f: Function) -> bool: # https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/3dec82093ea4a490d63aab3e925fed4f692909e8/contracts/proxy/utils/UUPSUpgradeable.sol#L38-L42 return "onlyProxy" not in [modifier.name for modifier in f.modifiers] - -import re - - def _initialize_functions(contract: Contract) -> List[Function]: return list( filter( From ca851e2d079fb601826e3ad09458cb00af9b64e3 Mon Sep 17 00:00:00 2001 From: "Khang Vo (doublevkay)" Date: Mon, 30 Oct 2023 12:08:50 +0700 Subject: [PATCH 4/4] make lint --- slither/detectors/statements/unprotected_upgradeable.py | 1 + 1 file changed, 1 insertion(+) diff --git a/slither/detectors/statements/unprotected_upgradeable.py b/slither/detectors/statements/unprotected_upgradeable.py index 59f27fc580..d25aff187d 100644 --- a/slither/detectors/statements/unprotected_upgradeable.py +++ b/slither/detectors/statements/unprotected_upgradeable.py 
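Review bot: Dropping the `if self.is_upgradeable_proxy: return False` guard in `is_upgradeable` (slither/core/declarations/contract.py) changes the property for every caller, not only for the unprotected-upgrade detector. A contract that is an upgradeable proxy now reaches the `Initializable` lookup instead of returning False. None of the fixtures added in this series appears to cover a proxy that also inherits `Initializable`, so the new result for that combination is untested as far as the visible hunks show. A docstring would pin the intended contract, for example `"""True when the contract looks upgradeable (e.g. inherits Initializable); upgradeable proxies are no longer excluded."""`, ideally with one fixture for that case. The body of `is_upgradeable` continues below the hunk, so the remaining checks are not visible here.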
@@ -49,6 +49,7 @@ def _whitelisted_modifiers(f: Function) -> bool: # https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/3dec82093ea4a490d63aab3e925fed4f692909e8/contracts/proxy/utils/UUPSUpgradeable.sol#L38-L42 return "onlyProxy" not in [modifier.name for modifier in f.modifiers] + def _initialize_functions(contract: Contract) -> List[Function]: return list( filter(